
How to make your own encrypted VPN server in 15 minutes

The best encrypted VPN is one that you have set up and secured yourself.

Romain Dillet 

September 30, 2024 

Image Credits: Bryce Durbin / TechCrunch

You may have seen plenty of online ads 
about paid VPN services. However, as we 
explained in a previous article, it's not a
good idea to tunnel all your internet traffic
through a VPN service. 

Unlike what they say on their websites, 
VPN companies usually don't care about 
protecting your privacy. These companies 
get to see all your web browsing history as 
they handle your internet traffic and DNS 
requests. They sometimes even keep logs 
of your IP address and connection history, 
which means that they could potentially 
hand this data over to authorities, or it 
could be stolen by cybercriminals. 

In most cases, you don't need to enable a 
VPN connection before browsing the web 
as nearly all websites are delivered to your 
browser over a secure and encrypted 
connection (called HTTPS). 

But VPNs can be useful from time to time, 
depending on your risk profile, also known 
as a threat model. Sometimes you can't 
access a website from a public network
because it's blocked. Or you could be
traveling to a country where the content 
you want to access, such as the news, or 
music- and video-streaming services, 
aren't available. In those cases, it's all 
about minimizing the risk while you use a 
VPN. 

That's why we are going to highlight a few 
different methods to set up your own 
encrypted VPN server at home or in a data 
center near you. 


Easy: Run Tailscale on a spare home computer

Tailscale makes it easy to create a virtual 
network and connect all your devices to 
that network. Tailscale is built on top
of WireGuard, a rock-solid open source
VPN protocol that works on pretty much 
any device. 

There are plenty of use cases for Tailscale.
Developers use it for accessing remote
servers. Companies use it so that 
employees can access all kinds of 
corporate services even when they're not 
in the office. In our case, we're going to 
use it as an alternative to a VPN service 
that lets you encrypt and redirect all your 
internet traffic. 

If you have a computer that is always 
running at home, or an old laptop that you 
no longer use, download and install 
Tailscale on that device. The Tailscale app 
is available for both Windows and macOS. 
(It's also available on Linux using the 
terminal.) 

Create a Tailscale account, and create your 
first tailnet. In Tailscale’s lingo, a tailnet is 
your own private peer-to-peer mesh 
network that lets your devices interact with 
each other. 

Click on the Tailscale icon in your menu
bar on macOS or in the taskbar on
Windows. Turn on Tailscale, and then head 
to the “Exit nodes” menu. Click on “Run 
exit node ...” 

Now, you can install Tailscale on your 
personal devices that you're traveling with, 
such as your laptop or your phone. Install 
Tailscale, then log into your account. You'll 
see your computer running at home in the 
list of devices in your private network. 
Once again, go to the “Exit nodes” section. 
This time, choose your home computer as 
your exit node. That's it! When your 
devices use your home computer as
their exit nodes, all internet traffic passes
through that exit node. 

Tailscale's role is to manage the 
coordination server that makes this VPN 
connection possible. This coordination 
server is responsible for distributing the 
public keys to all your devices in your
Tailscale network so that they can securely
communicate with each other. Tailscale 
doesn't route traffic through its 
coordination servers. 

As for private keys, they remain on your 
devices at all times. Without those private 
keys, there is no way for anyone else — 
including Tailscale — to decrypt the data 
that flows through your VPN tunnel. With 
this setup, you get all the benefits of an 
encrypted VPN connection without having 
to manually generate, distribute, and 
handle your public keys. 

The result is that even if you're thousands 
of miles away on a very restricted Wi-Fi 
network, you can browse the web as if you 
were located at home. 

At this point you might think, “This is great,
but I don't want to keep a computer
running 24/7.” The good news is that
Tailscale lets you turn an Apple TV into an
exit node. As the Apple TV is designed to
be constantly running so that it can be 
switched on and used at any time, your 
exit node will also always be constantly 
available. If you're not an Apple TV user, 
you may have an Android-based set-top 
box or an old Android phone in a drawer. 
Tailscale lets you run an exit node on an 
Android device, too. 




The exit node sub-menu in Tailscale's 
client on macOS (left) and Windows 
(right). Image Credits: TechCrunch
(screenshots) 


Medium: Install Tailscale on a 
Raspberry Pi 


If your modem or router is in a peculiar 
spot, you may want to build yourself a
dedicated Tailscale device and plug it into
your router with an Ethernet cable. 

In that case, you could buy a Raspberry Pi, 
a tiny, cheap, single-board micro-computer. 
We recommend a Raspberry Pi 4 or 
Raspberry Pi 5, as these models have a 
Gigabit Ethernet port. If you have a fiber 
connection at home, you'll be able to get 
faster speeds with that Gigabit Ethernet 
port when you switch on the VPN 
connection. 

You can flash a microSD card with 
Raspberry Pi Desktop, the operating 
system specifically designed for these 
computers. You'll also need a USB 
keyboard and mouse, as well as a
micro-HDMI-to-HDMI cable to set up the
Raspberry Pi. 

After that, you can plug your Raspberry Pi
into a computer display or a TV and turn it
on. You'll have to open the terminal and
run a few commands that are detailed
on Tailscale's website to install and run
Tailscale.

You also need to enable IP forwarding with 
the following three commands on 
Raspberry OS: 

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

After the last command, run the following 
command: 

sudo tailscale up --advertise-exit-node 

And this completes turning this Raspberry 
Pi into a Tailscale exit node. 
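
The sysctl commands above append with tee -a, so running them a second time stacks duplicate lines in the file. The following is an added example, not code from the article or from Tailscale: it sets each key exactly once, confirms the running kernel is actually forwarding, and only then advertises the exit node. The function names and the /etc/sysctl.d/99-tailscale.conf path are assumptions.

```shell
#!/bin/sh
# Added example: idempotent forwarding setup for a Tailscale exit node.
# Function names and the CONF path are assumptions, not from the article.

# ensure_sysctl KEY VALUE FILE
# Leave exactly one active "KEY = VALUE" line in FILE. Comments and other
# keys (including ones that merely share KEY as a prefix) are preserved.
ensure_sysctl() {
    key=$1; value=$2; file=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v k="$key" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        # Drop any existing assignment of exactly this key.
        index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*=/ { next }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# forwarding_on [ROOT]
# Succeed only if the running kernel forwards both IPv4 and IPv6.
# ROOT defaults to /proc/sys; it is a parameter so the check can be tested.
forwarding_on() {
    root=${1:-/proc/sys}
    [ "$(cat "$root/net/ipv4/ip_forward" 2>/dev/null)" = 1 ] &&
    [ "$(cat "$root/net/ipv6/conf/all/forwarding" 2>/dev/null)" = 1 ]
}

# Run as root with the argument "apply" to configure this machine.
if [ "${1:-}" = "apply" ]; then
    CONF=/etc/sysctl.d/99-tailscale.conf   # assumed drop-in path
    ensure_sysctl net.ipv4.ip_forward 1 "$CONF" &&
    ensure_sysctl net.ipv6.conf.all.forwarding 1 "$CONF" &&
    sysctl -p "$CONF" >/dev/null &&
    forwarding_on &&
    tailscale up --advertise-exit-node
fi
```
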

You can now install Tailscale on your 
personal devices that you're traveling with, 
and use the Raspberry Pi as your exit node. 


A Raspberry Pi 5. Image Credits: Romain Dillet / TechCrunch

If you like this setup and you're
comfortable in the terminal, you can follow
the same instructions with Raspberry Pi
OS Lite, the operating system for the
Raspberry Pi that doesn't have a traditional
desktop interface.

You can also follow the same instructions
to create your own VPN server in a data 
center near you. Many companies, such as 
DigitalOcean, Vultr, Linode, Scaleway, 
Hetzner Cloud, and OVHcloud, offer cheap 
virtual servers for around $5 per month. 


After creating a server with one of those
cloud hosting companies, boot it up
and use the provider's web console to install
Tailscale. You can also log in using SSH,
commonly used for remote access, from
your own terminal.


Tailscale’s iPhone app with the ability
to select an exit node at the top. Image
Credits: Romain Dillet / TechCrunch


Advanced: Tailscale on Fly.io 
or WireGuard on a VPS 


At this point, you may find that setting up
your own encrypted VPN server and
routing all your internet traffic through that 
server isn't that difficult. So, you can get 
creative with your setup. 

For instance, developer Patrick Recher has 
built a global network of Tailscale exit 
nodes on Fly.io, a cloud-hosting company 
that lets you create virtual machines on 
the fly based on a configuration file. 
Recher can add a server in a new region 
with a single command line. And when he's 
done, he stops the virtual machine and 
destroys it. You can find out more in 
Recher's GitHub repository. 

If you don't want to rely on Tailscale to 
coordinate your peer-to-peer network, you 
could install and configure WireGuard 
directly. There are several
tutorials around the web that will guide
you through the WireGuard setup process. 
Setting up WireGuard is not that
complicated, and you'll learn a few things
along the way. 
